CVE-2026-29870 in context-engine project versions
Sumário (Inglês)
A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpoint_dir parameter in OfflineACE.run. The save_to_file method in ace/skillbook.py fails to normalize or validate filesystem paths, allowing traversal sequences to escape the intended checkpoint directory. This vulnerability allows attackers to overwrite arbitrary files accessible to the application process, potentially leading to application corruption, privilege escalation, or code execution depending on the deployment context.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Responsável
MITRE
Reservar
04/03/2026
Divulgação
31/03/2026
Estado
Confirmado
Inscrições
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerabilidade | CWE | Exp | Con | CVE |
|---|---|---|---|---|---|
| 354416 | context-engine project versions skillbook.py save_to_file Travessia de Diretório | 22 | Não definido | Não definido | CVE-2026-29870 |
Descrição
CPE
CWE
CVSS
Explorações
História
Diferença
Relacionar
Inteligência de ameaças
API JSON
API XML
API CSV